Polygon Zero’s mission is simple: to use zero-knowledge proofs to scale Ethereum to a billion users, without compromising decentralization or security. Achieving this requires fast and efficient proof systems. Today, we’re excited to share Plonky2, a major milestone for zero-knowledge cryptography.

Plonky2 is a recursive SNARK that is 100x faster than existing alternatives and natively compatible with Ethereum. It combines PLONK and FRI for the best of STARKs, with fast proofs and no trusted setup, and the best of SNARKs, with support for recursion and low verification cost on Ethereum.

Plonky2 represents the latest step in Polygon’s ongoing commitment to building the future of Ethereum, and we’re proud to share our work with the Ethereum community.

If zero-knowledge proofs have a superpower, it’s recursion. SNARKs can verify arbitrary computations, and, since verifying a SNARK is a computation, SNARKs can verify other SNARKs.

To see why that’s useful, suppose that we want to prove that a batch of 1,000 transactions is valid. Generating a single proof to verify 1,000 transactions at once would be expensive and time-consuming.

Instead, we can take 1,000 machines and generate 1,000 proofs in parallel, one for each transaction. Next, we can take these transaction proofs and recursively aggregate them by generating a layer of recursive proofs, with each one verifying two transaction proofs. We repeat this process until we’re left with a single proof that verifies 1,000 transactions.

The recursive approach is faster, less resource-intensive, and can be more decentralized.

Efficiency

Recursive proofs are critical for blockchain scalability. When we started Mir (now Polygon Zero) in 2019, it took two minutes on a fast computer to generate a single recursive proof. 2020 brought recursive proofs to Ethereum with 60 second proving times, and the invention of Halo delivered faster recursive proofs, but without Ethereum compatibility.

In 2021, we had an audacious goal: sub-1 second recursive proofs on Ethereum. We realized that FRI, the polynomial commitment scheme used in STARKs, could offer a significant performance improvement for recursive SNARKs. At the time, this wasn’t obvious. Fractal, the only existing implementation of recursive FRI, took about 10 minutes to generate a proof.

However, FRI has some exciting properties. It allows us to use 64-bit fields, and our team discovered the Goldilocks Field, whose modulus enables extremely efficient field arithmetic on modern CPUs. When combined with PLONK, FRI allows us to write custom gates with many more wires, so we can write circuits that are optimized for efficient recursion.
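To make the field-arithmetic claim concrete, here is an added example (not code from Plonky2 or from this post) of multiplication modulo the Goldilocks prime, p = 2^64 - 2^32 + 1. Because 2^64 ≡ 2^32 - 1 and 2^96 ≡ -1 (mod p), a 128-bit product reduces with a few adds and one small multiply instead of a division; the function names are illustrative.

```rust
// Added illustration, not Plonky2 source. The Goldilocks prime is p = 2^64 - 2^32 + 1.
const P: u64 = 0xFFFF_FFFF_0000_0001;
// 2^64 mod p = 2^32 - 1, and therefore 2^96 mod p = p - 1 (that is, -1).
const EPSILON: u64 = 0xFFFF_FFFF;

/// Reduce a 128-bit value to [0, p) with shifts, adds and one 32x32 multiply.
fn reduce128(x: u128) -> u64 {
    let lo = x as u64;
    let hi = (x >> 64) as u64;
    let hi_hi = hi >> 32; // coefficient of 2^96, worth -1 mod p
    let hi_lo = hi & EPSILON; // coefficient of 2^64, worth EPSILON mod p
    // x = lo + hi_lo * 2^64 + hi_hi * 2^96, so x is congruent to lo - hi_hi + hi_lo * EPSILON.
    let (mut t, borrow) = lo.overflowing_sub(hi_hi);
    if borrow {
        // Wrapped value is 2^64 too large; 2^64 is EPSILON mod p. Here t >= EPSILON.
        t -= EPSILON;
    }
    let (mut r, carry) = t.overflowing_add(hi_lo * EPSILON);
    if carry {
        // Wrapped value is 2^64 too small; add EPSILON back. This cannot overflow.
        r += EPSILON;
    }
    if r >= P { r - P } else { r } // r < 2^64 < 2p, one subtraction canonicalizes
}

fn mul(a: u64, b: u64) -> u64 {
    reduce128(a as u128 * b as u128)
}

/// Reference result using the generic (slow) 128-bit remainder.
fn mul_reference(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P as u128) as u64
}

/// Square-and-multiply exponentiation on top of `mul`.
fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

fn main() {
    assert_eq!(mul(P - 1, P - 1), mul_reference(P - 1, P - 1));
    println!("2^64 mod p = {:#x}", mul(1 << 32, 1 << 32));
    println!("3^(p-1) mod p = {}", pow(3, P - 1));
}
```

The branches here depend on the operands, so this sketch is not constant-time; that matters only where field elements are secret.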

This combination of mathematical insight, deep expertise in zero-knowledge cryptography, and amazing low-level optimizations allowed us to make a significant breakthrough. A recursive proof on Plonky2 takes just 170 milliseconds on a MacBook Pro, a 100x improvement over existing alternatives.

Proof Sizes

Plonky2 also allows us to speed up proving times for proofs that don’t involve recursion. With FRI, you can either have fast proofs that are big (so they’re more expensive to verify on Ethereum), or you can have slow proofs that are small. Constructions that use FRI, like the STARKs that Starkware uses in their ZK-rollups, have to choose; they can’t have maximally fast proving times and proof sizes that are small enough to reasonably verify on Ethereum.

Plonky2 eliminates this tradeoff. In cases where proving time matters, we can optimize for maximally fast proofs. When these proofs are recursively aggregated, we’re left with a single proof that can be verified in a small circuit. At this point, we can optimize for proof size. We can shrink our proof sizes down to 45kb with only 20s of proving time (not a big deal since we only generate this proof when we submit to Ethereum), dramatically reducing costs relative to Starkware.

Compatibility

Excitingly, Plonky2 is natively compatible with Ethereum. Plonky2 requires only keccak-256 to verify a proof. We’ve estimated that the gas cost to verify a Plonky2 size-optimized proof on Ethereum will be approximately 1 million gas.

However, this cost is dominated by the CALLDATA costs to publish the proof on Ethereum. If CALLDATA is repriced in EIP-4488, the verification cost of a Plonky2 proof will drop to between 170k and 200k gas, which could make it not only the fastest proving system, but also the cheapest to verify on Ethereum.

Conclusion

Last year, Polygon laid out its commitment to supporting ZK scaling. This represented an important transition, as Polygon moved from providing an essential solution for the present to building the future of Ethereum scaling. Plonky2 is an important step on this journey, and a major breakthrough for the entire space.

ZK L2s have benefited from a lot of hype, but current solutions rely on cryptographic primitives that are inefficient and limit scalability. Ultimately, L2s will compete on throughput and cost, and Plonky2 gives the Polygon ecosystem the opportunity to build the most performant and scalable L2s.

Join us on GitHub or tune in to our blog to learn more about zero-knowledge proofs. Let’s bring the world to Ethereum!
